Few things in cyber security have become as ubiquitous in organisations, modern parlance and even the familial home as Ransomware. Its deleterious effects are well documented. And despite a typically unchecked litany of statistics surrounding its increase in volume, variety and velocity (often out with reality), there’s little doubt Ransomware is the problem child of the profession.
Only 4 days ago, the UK ICO announced its first fine for a national firm subject to such extortion –– Tuckers solicitors were handed a £98,000 penalty for failing to secure court bundles, later published on the dark web and held to ransom. Save the armfuls of stolen confidential data–some 24,712 court documents out of a total 972,191 files–the costly slap on the wrist may appear prematurely harsh, given Tuckers reported the breach (and pulled the plug on effected systems) within 24 hours of detection. Yet, the control deficiencies exploited were predictable. Like Hansel and Gretel, the proverbial breadcrumbs of the attack can be traced back to no MFA and no encryption on the breached archived server. This pattern of behaviour is predictable, with many victims apologetically offering piecemeal security investment in the fallout.
But contrition in the aftermath is of little value, instead becoming a hallmark of the unprepared. Organisations should operate on the assumption they’ll be attacked with a view to maintaining operational resilience when hit. To this end, the remedy is well established –– a blend of preventative, detective and corrective capabilities. The holy trinity of security is no panacea but remains a useful prism through which to select the necessary measures to reduce exposure to loss.
Notwithstanding, the ransomware threat landscape paints an unsettling picture: more Pollock than Pissarro. Whilst the attack method in its embryonic adoption cost criminals little time or treasure, the status quo is changing. In recent years, the levers of power for organised criminal groups (OCGs) have developed, with cyber attackers gaining increased purchase in the politics, economics and sociology of criminal activity. None epitomise this more than Conti. Messers Krebs and co. have documented their developing tactics, techniques and procedures (TTPs) writ large. The group is undoubtedly the gold medal winner in the criminal Olympics, gaining ballooning reward and notoriety. In 2021 alone they stole $180m in loot, with their primary Bitcoin address holding more than $2bn in digital currency by late February 2022. But success comes at a price. Conti’s target operating model has undergone a significant step-change as the cost-benefit fulcrum starts to imbalance. Though unlikely to be glutted with McKinsey presentations and punctilious compliance teams, be under no illusion –– the ransomware doyen is fast-becoming a sizeable enterprise. Recently-leaked diary entries have spilled the quotidian concerns of the criminal group, the least of which being an increasingly expensive operational cost model that includes renting virtual private servers (VPS) and maintaining myriad VPN subscriptions (including masking purchases of various security products). However, the greater disquiet within the leadership hierarchy lies in HR: maintaining competitive employee salaries, training negotiation teams and preventing escalating rates of attrition. Conti’s attention is now reorienting internally in an effort to win the battle for hearts and minds of its employees. Even criminals have rent to pay and mouths to feed.
This has not deterred the group’s criminal activities in the fifth domain. Its motivational legs are growing. Monetary gain is no longer the key objective, particularly in the context of the Ukrainian-Russo conflict –– instead, politically-aligned outcomes that support its role as Putin’s proxy. Conti et. Al continue to demonstrate scant restraint in exploiting a target-rich environment to levy reputational and operational damage. The struggle is now mitigating an enemy that not only wants gold but to publicise the embarrassment of losing it as well.
Yet, a sturdy handrail for organisations exists. Beyond the ancillary support of federal agencies and 3rd party retainers, a useful control catalogue can be deployed to embed the resiliency needed to sustain an organisation throughout an attack.
Firstly, robust preventative and detective controls are critical, be it Network Behaviour Analytics, EDR, Vulnerability Management etc. Configuration must be orchestrated across the security tool stack and focus placed on carefully-crafted use cases that reflect the organisation’s key threat profiles. Without this, systems are rendered otiose, delivering little value-add. Groups, including Conti, routinely compromise Active Directories in the hunt for privileged, well-positioned individuals. As such, capabilities including Privileged Access Management (PAM), Security Orchestration, Automation and Response (SOAR) and User & Entity Behaviour Analytics (UEBA) are required not only to build out incremental detail of an organisation’s movers and shakers but to leverage machine learning to underpin automated response.
Secondly, back-up. What’s become received wisdom in ransomware response strategy is often ironically paid lip-service. Effective back-up includes segregation from the main estate, duplication to different types of media and maintaining at least one version offsite. Moreover, a frequently tested process for restore in the event of infection and lockout. A golden image should be on standby for deployment to reduce the loss exposure caused by downtime. This may seem banal-with many organisations willing the end, not the means-but ransomware groups are now au fait with techniques to bypass back-up storage vendors, encrypting both back-ups and the primary estate. Organisations can no longer rest idle.
Ransomware will persist as one of the most effective digital cudgels –– crass and effective, it furnishes attackers with the ability to exact significant damage with brilliant éclat. But organisations have a growing arsenal of security measures available, not least those mentioned above. Clear strategic planning; effective preventative and detective capabilities; comprehensive, encrypted back-ups; habitually-tested playbooks. These measures bolster organisations’ security posture and embed long-term, proactive resilience. The key credo is praemonitus, praemunitus –– forewarned is forearmed. Fortune favours the prepared.
AJH